{"customFields": {}, "metrics": {}, "tlp": 2, "pap": 0, "tasks": [{"order": 0, "title": "1 | RA1001: Practice", "group": "Preparation", "description": "Make sure that most of the Response Actions have been performed in an internal exercise by your Incident Response Team. \nYou need to make sure that when an Incident happens, the team will not just try to follow playbooks they are seeing for the first time, but will be able to quickly execute the actual steps in **your environment**, e.g. blocking an IP address or a domain name. \n", "owner": ""}, {"order": 1, "title": "2 | RA1002: Take trainings", "group": "Preparation", "description": "> We do not rise to the level of our expectations. We fall to the level of our training. \n\nHere are some relevant training courses that will help you in Incident Response activities: \n\n1. [Investigation Theory](https://chrissanders.org/training/investigationtheory/) by Chris Sanders. We recommend making it mandatory training for every member of your Incident Response team \n2. [Offensive Security](https://www.offensive-security.com/courses-and-certifications/) trainings. We recommend [PWK](https://www.offensive-security.com/pwk-oscp/) to begin with \n3. [SANS Digital Forensics & Incident Response](https://digital-forensics.sans.org/training/courses) trainings \n\nOffensive Security trainings are on the list because to fight a threat, you need to understand the adversary's motivation, tactics, and techniques. \n\nAt the same time, we assume that you already have a strong technical background in the fundamental disciplines: Networking, Operating Systems, and Programming. \n", "owner": ""}, {"order": 2, "title": "3 | RA1004: Make personnel report suspicious activity", "group": "Preparation", "description": "Develop a simple, company-wide known way to contact the IR team in case of suspicious activity on a user's system. \nMake sure that personnel are aware of it, and can and will use it. 
\n", "owner": ""}, {"order": 3, "title": "4 | RA1003: Raise personnel awareness", "group": "Preparation", "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of \nsuccessful spearphishing, social engineering, and other techniques that involve user interaction.\n", "owner": ""}, {"order": 4, "title": "5 | RA1101: Access external network flow logs", "group": "Preparation", "description": "Make sure that collection of Network Flow logs for external communication (from corporate assets to the Internet) is configured. \nIf there is no option to configure it on a network device, you can install agent software on each endpoint and collect the logs from there. \n\nWarning: \n\n- There is a feature called [\"NetFlow Sampling\"](https://www.plixer.com/blog/how-accurate-is-sampled-netflow/) which eliminates the value of Network Flow logs for some tasks, such as \"check whether a host communicated with an external IP\": a short or low-volume connection may simply not appear in sampled data. Make sure it is disabled, or that you have an alternative way to collect complete Network Flow logs \n", "owner": ""}, {"order": 5, "title": "6 | RA1104: Access external HTTP logs", "group": "Preparation", "description": "Make sure that collection of HTTP connection logs for external communication (from corporate assets to the Internet) is configured. \n", "owner": ""}, {"order": 6, "title": "7 | RA1106: Access external DNS logs", "group": "Preparation", "description": "Make sure that collection of DNS logs for external communication (from corporate assets to the Internet) is configured. \nIf there is no option to configure it on a network device/DNS Server, you can install agent software on each endpoint and collect the logs from there. \n\nWarning: \n\n- Make sure that both DNS query and answer logs are collected: the answer gives you the resolved IP address, which you will need in order to pivot into Network Flow logs. It is quite hard to configure such collection on MS Windows DNS Server and ISC BIND; sometimes it is much easier to use a 3rd party solution to fulfill this requirement. 
\n- Make sure that DNS traffic to the external (public) DNS servers is blocked by the Border Firewall. This way, corporate DNS servers is the only place assets can resolve the domain names. \n", "owner": ""}, {"order": 7, "title": "8 | RA1111: Get ability to block external IP address", "group": "Preparation", "description": "Make sure you have the ability to create a policy rule in one of the listed Mitigation Systems that will you to block an external IP address from being accessed by corporate assets. \n\nWarning: \n\n- Make sure that using the listed systems (1 or multiple) you can control access to the internet of all assets in the infrastructure. In some cases, you will need a guaranteed way to block an external IP address from being accessed by corporate assets completely. If some of the assets are not under the management of the listed Mitigation Systems, (so they can access the internet bypassing these systems), you will not be able to fully achieve the final objective of the Response Action. \n", "owner": ""}, {"order": 8, "title": "9 | RA1113: Get ability to block external domain", "group": "Preparation", "description": "Make sure you have the ability to create a policy rule or a specific configuration in one of the listed Mitigation Systems that will you to block an external domain name from being accessed by corporate assets. \n\nWarning: \n\n- Make sure that using the listed systems (1 or multiple) you can control access to the internet of all assets in the infrastructure. In some cases, you will need a guaranteed way to block an external domain name from being accessed by corporate assets completely. If some of the assets are not under the management of the listed Mitigation Systems, (so they can access the internet bypassing these systems), you will not be able to fully achieve the final objective of the Response Action. 
\n", "owner": ""}, {"order": 9, "title": "10 | RA1115: Get ability to block external URL", "group": "Preparation", "description": "Make sure you have the ability to create a policy rule or a specific configuration in one of the listed Mitigation Systems that will allow you to block an external URL from being accessed by corporate assets. \n\nWarning: \n\n- Make sure that, using the listed systems (one or several), you can control internet access for all assets in the infrastructure. In some cases, you will need a guaranteed way to completely block an external URL from being accessed by corporate assets. If some assets are not under the management of the listed Mitigation Systems (so they can access the internet bypassing these systems), you will not be able to fully achieve the final objective of the Response Action. \n- For HTTPS connections the full URL is only visible to a Mitigation System that performs TLS inspection; without it, only the host name can be matched. \n", "owner": ""}, {"order": 10, "title": "11 | RA1201: Get ability to list users opened email message", "group": "Preparation", "description": "Make sure you have the ability to list users who opened/read a particular email message using the Email Server's functionality.\n", "owner": ""}, {"order": 11, "title": "12 | RA1202: Get ability to list email message receivers", "group": "Preparation", "description": "Make sure you have the ability to list receivers of a particular email message using the Email Server's functionality.\n", "owner": ""}, {"order": 12, "title": "13 | RA1203: Get ability to block email domain", "group": "Preparation", "description": "Make sure you have the ability to block an email domain on an Email Server using its native filtering functionality. \n", "owner": ""}, {"order": 13, "title": "14 | RA1204: Get ability to block email sender", "group": "Preparation", "description": "Make sure you have the ability to block an email sender on an Email Server using its native filtering functionality. 
\n", "owner": ""}, {"order": 14, "title": "15 | RA1205: Get ability to delete email message", "group": "Preparation", "description": "Make sure you have the ability to delete an email message from an Email Server and users' email boxes using its native functionality.\n", "owner": ""}, {"order": 15, "title": "16 | RA1206: Get ability to quarantine email message", "group": "Preparation", "description": "Make sure you have the ability to quarantine an email message on an Email Server using its native functionality. \n", "owner": ""}, {"order": 16, "title": "17 | RA2003: Put compromised accounts on monitoring", "group": "Identification", "description": "Start monitoring for authentication attempts and all potentially harmful actions from (potentially) compromised accounts. \nLook for anomalies: unusual network connections, unusual geolocation or working hours, actions that were never executed before. \nKeep in touch with the real users and, if needed, ask them whether they executed the suspicious actions themselves. \n", "owner": ""}, {"order": 17, "title": "18 | RA2113: List hosts communicated with external domain", "group": "Identification", "description": "List hosts that communicated with an external domain, using the most efficient way available (DNS logs, HTTP logs). \n", "owner": ""}, {"order": 18, "title": "19 | RA2114: List hosts communicated with external IP", "group": "Identification", "description": "List hosts that communicated with an external IP address, using the most efficient way available (Network Flow logs). \n", "owner": ""}, {"order": 19, "title": "20 | RA2115: List hosts communicated with external URL", "group": "Identification", "description": "List hosts that communicated with an external URL, using the most efficient way available (HTTP logs). ", "owner": ""}, {"order": 20, "title": "21 | RA2201: List users opened email message", "group": "Identification", "description": "List users who opened/read a particular email message using the Email Server's functionality. 
\n", "owner": ""}, {"order": 21, "title": "22 | RA2202: Collect email message", "group": "Identification", "description": "Collect an email message using the most appropriate option: \n\n- Email Team/Email server: if there is such an option \n- The person who reported the attack (if it wasn't detected automatically or reported by victims) \n- Victims: if they reported the attack \n- Following the local computer forensic evidence collection procedure, if the situation requires it\n\nAsk for the email in `.EML` format, since it preserves the full headers needed for the next steps. Instructions: \n\n 1. Drag and drop the email from the email client to the Desktop \n 2. Archive it with the password \"infected\" (so that mail filters do not strip it on the way) and send it to the IR specialists by email \n", "owner": ""}, {"order": 22, "title": "23 | RA2203: List email message receivers", "group": "Identification", "description": "List receivers of a particular email message using the Email Server's functionality. ", "owner": ""}, {"order": 23, "title": "24 | RA2204: Make sure email message is phishing", "group": "Identification", "description": "Check the email and its metadata for evidence of a phishing attack: \n\n- **Impersonation attempts**: the sender is trying to pass as somebody they are not (e.g. the display name does not match the `From` address, or `Reply-To` points to a different domain) \n- **Suspicious requests or offers**: download an \"invoice\", click on a link to something important, etc. \n- **Psychological manipulation**: invoking a sense of urgency or fear is a common phishing tactic \n- **Spelling mistakes**: legitimate messages usually don't have spelling mistakes or poor grammar \n\nExplore the references of the article to familiarise yourself with the history and examples of phishing attacks. 
\n", "owner": ""}, {"order": 24, "title": "25 | RA2205: Extract observables from email message", "group": "Identification", "description": "Extract the data for further response steps: \n\n- attachments (using the munpack tool: `munpack email.eml`) \n- from, to, cc (and reply-to / return-path, where they differ from the sender) \n- subject of the email \n- the `Received` header chain (path of mail servers the message passed through) \n- list of URLs from the text content of the mail body and attachments \n\nThis Response Action could be automated with [TheHive EmlParser](https://blog.thehive-project.org/2018/07/31/emlparser-a-new-cortex-analyzer-for-eml-files/). \n", "owner": ""}, {"order": 25, "title": "26 | RA3101: Block external IP address", "group": "Containment", "description": "Block an external IP address from being accessed by corporate assets, using the most efficient way. \n\nWarning: \n\n- Be careful when blocking IP addresses. Make sure the address does not belong to a cloud provider or a hosting provider, since blocking it would also cut access to every legitimate service sharing that address. If you would like to block something hosted on a well-known cloud provider or a big hosting provider, you should block (if applicable) the specific URL using the alternative Response Action \n", "owner": ""}, {"order": 26, "title": "27 | RA3103: Block external domain", "group": "Containment", "description": "Block an external domain name from being accessed by corporate assets, using the most efficient way. \n\nWarning: \n\n- Be careful when blocking domain names. Make sure the domain does not belong to a cloud provider or a hosting provider, since blocking it would also cut access to every legitimate service under that domain. If you would like to block something hosted on a well-known cloud provider or a big hosting provider domain, you should block (if applicable) the specific URL using the alternative Response Action \n", "owner": ""}, {"order": 27, "title": "28 | RA3105: Block external URL", "group": "Containment", "description": "Block an external URL from being accessed by corporate assets, using the most efficient way. \n", "owner": ""}, {"order": 28, "title": "29 | RA3201: Block domain on email", "group": "Containment", "description": "Block a domain name on an Email Server using its native filtering functionality. 
\n", "owner": ""}, {"order": 29, "title": "30 | RA3202: Block sender on email", "group": "Containment", "description": "Block an email sender on an Email Server using its native filtering functionality. \n", "owner": ""}, {"order": 30, "title": "31 | RA3203: Quarantine email message", "group": "Containment", "description": "Quarantine an email message on an Email Server using its native functionality. \n", "owner": ""}, {"order": 31, "title": "32 | RA4001: Report incident to external companies", "group": "Eradication", "description": "Report the incident to external security organisations, e.g. [National Computer Security Incident Response Teams (CSIRTs)](https://www.sei.cmu.edu/education-outreach/computer-security-incident-response-teams/national-csirts/). \nProvide all Indicators of Compromise and Indicators of Attack that have been observed. \n\nA phishing attack could be reported to: \n\n1. [National Computer Security Incident Response Teams (CSIRTs)](https://www.sei.cmu.edu/education-outreach/computer-security-incident-response-teams/national-csirts/) \n2. [U.S. government-operated website](http://www.us-cert.gov/nav/report_phishing.html) \n3. [Anti-Phishing Working Group (APWG)](http://antiphishing.org/report-phishing/) \n4. [Google Safe Browsing](https://safebrowsing.google.com/safebrowsing/report_phish/?hl=en) \n5. [The FBI's Internet Crime Complaint Center (IC3)](https://www.ic3.gov/default.aspx) \n\nThis Response Action could be automated with [TheHive and MISP integration](https://blog.thehive-project.org/2017/06/19/thehive-cortex-and-misp-how-they-all-fit-together/). \n", "owner": ""}, {"order": 32, "title": "33 | RA4201: Delete email message", "group": "Eradication", "description": "Delete an email message from an Email Server and users' email boxes using its native functionality.\n", "owner": ""}, {"order": 33, "title": "34 | RA5101: Unblock blocked IP", "group": "Recovery", "description": "Unblock a blocked IP address in the system(s) used to block it. 
\n", "owner": ""}, {"order": 34, "title": "35 | RA5102: Unblock blocked domain", "group": "Recovery", "description": "Unblock a blocked domain name in the system(s) used to block it. \n", "owner": ""}, {"order": 35, "title": "36 | RA5103: Unblock blocked URL", "group": "Recovery", "description": "Unblock a blocked URL in the system(s) used to block it. \n", "owner": ""}, {"order": 36, "title": "37 | RA5201: Unblock domain on email", "group": "Recovery", "description": "Unblock an email domain on an Email Server using its native functionality. \n", "owner": ""}, {"order": 37, "title": "38 | RA5202: Unblock sender on email", "group": "Recovery", "description": "Unblock an email sender on an Email Server using its native functionality. \n", "owner": ""}, {"order": 38, "title": "39 | RA5203: Restore quarantined email message", "group": "Recovery", "description": "Restore a quarantined email message on an Email Server using its native functionality. \n", "owner": ""}, {"order": 39, "title": "40 | RA6001: Develop incident report", "group": "Lessons Learned", "description": "Develop the Incident Report using your corporate template. \n\nIt should include: \n\n1. Executive Summary with a short description of the damage, actions taken, root cause, and key metrics (Time To Detect, Time To Respond, Time To Recover, etc.) \n2. Detailed timeline of adversary actions mapped to [ATT&CK tactics](https://attack.mitre.org/tactics/enterprise/) (you can use the [Kill Chain](https://en.wikipedia.org/wiki/Kill_chain), but most likely the majority of the actions will fall into the Actions on Objectives stage, which is neither representative nor useful) \n3. Detailed timeline of actions taken by the Incident Response Team \n4. Root Cause Analysis and Recommendations for improvements based on its conclusions \n5. 
List of specialists involved in Incident Response with their roles \n", "owner": ""}, {"order": 40, "title": "41 | RA6002: Conduct lessons learned exercise", "group": "Lessons Learned", "description": "The Lessons Learned phase evaluates the team's performance through each step. \nThe goal of the phase is to discover how to improve the incident response process. \nYou need to answer some basic questions, using the developed incident report: \n\n- What happened? \n- What did we do well? \n- What could we have done better? \n- What will we do differently next time? \n\nThe incident report is the key to improvements. \n", "owner": ""}], "description": "Response playbook for Phishing Email case\n\nWorkflow:\n\n1. Execute Response Actions step by step. Some of them are directly connected, which means you will not be able to move forward without finishing the previous step. Some of them are redundant, e.g. those related to blocking a threat using network filtering systems (containment stage)\n2. Start executing the containment and eradication stages concurrently with the next identification steps, as soon as you receive information about malicious hosts\n3. If phishing led to code execution or remote access to the victim host, immediately start executing the Generic Post Exploitation Incident Response Playbook\n4. Save all timestamps of implemented actions in the Incident Report draft on the fly; it will save a lot of time\n", "name": "RP0001: Phishing email", "status": "Ok", "severity": 2, "titlePrefix": "", "tags": ["attack.initial_access", "attack.t1566.001", "attack.t1566.002", "phishing"]}
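Worked example for RA2204 (check the message for impersonation) and RA2205 (extract observables) in the template above. This is added illustrative code, not part of the atc-react playbook or of TheHive EmlParser. It uses only the Python standard library `email` package; the sample message, and every address, host name and URL in it, is constructed for the example, as are the `internal_domain` and `vip_names` values passed in.

```python
"""Parse a phishing .eml into observables (RA2205) and impersonation
indicators (RA2204). Added example; the sample message is constructed."""
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

# Constructed sample: the display name claims to be an internal executive, the
# From domain is a look-alike of corp.example, Reply-To and Return-Path point
# to other domains, and the link hides its real host behind a familiar label.
SAMPLE_EML = b"""Return-Path: <bounce@mailer.example.net>
Received: from mx2.corp.example (mx2.corp.example [10.0.0.25])
    by mail.corp.example with ESMTP id abc123; Mon, 1 Jan 2024 10:00:00 +0000
Received: from mailer.example.net (mailer.example.net [198.51.100.7])
    by mx2.corp.example with ESMTP id def456; Mon, 1 Jan 2024 09:59:58 +0000
From: "Jane Doe (CEO)" <jane.doe@corp-example.com>
Reply-To: accounts@example.org
To: bob@corp.example
Cc: alice@corp.example
Subject: URGENT: invoice needs your approval today
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Bob, please approve the attached invoice before noon:
https://corp.example.login-portal.net/approve?id=42
Thanks, Jane
--b1
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
RECEIVED_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)")
URGENCY = ("urgent", "immediately", "today", "asap", "final notice")


def extract_observables(raw: bytes) -> dict:
    """RA2205: the fields the containment steps need, pulled from an .eml."""
    msg = message_from_bytes(raw, policy=policy.default)
    urls, attachments = set(), []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            data = part.get_payload(decode=True)  # transfer encoding undone
            attachments.append((part.get_filename(), part.get_content_type(), len(data)))
        elif part.get_content_type() == "text/plain":
            urls.update(URL_RE.findall(part.get_content()))
    # Each hop prepends its own Received header, so the last one is the origin.
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        m = RECEIVED_RE.search(" ".join(str(hdr).split()))
        if m:
            hops.append((m.group(1), m.group(2)))
    return {
        "from": str(msg["From"] or ""), "to": str(msg["To"] or ""), "cc": str(msg["Cc"] or ""),
        "reply_to": str(msg["Reply-To"] or ""),
        "return_path": parseaddr(str(msg["Return-Path"] or ""))[1],
        "subject": str(msg["Subject"] or ""),
        "received_path": hops,
        "urls": sorted(urls),
        "attachments": attachments,
    }


def phishing_indicators(raw: bytes, internal_domain: str, vip_names: tuple) -> list:
    """RA2204: impersonation and manipulation signals from headers and body.
    Heuristics only: a short first label (e.g. 'hp') will over-match."""
    msg = message_from_bytes(raw, policy=policy.default)
    obs = extract_observables(raw)
    sender = msg["From"].addresses[0]
    from_dom = sender.domain.lower()
    label = internal_domain.split(".")[0]
    found = []
    if from_dom != internal_domain and label in from_dom:
        found.append("look-alike sender domain: " + from_dom)
    if from_dom != internal_domain and any(v.lower() in sender.display_name.lower() for v in vip_names):
        found.append("internal name on external address: " + sender.display_name)
    if msg["Reply-To"] and msg["Reply-To"].addresses[0].domain.lower() != from_dom:
        found.append("Reply-To domain differs from From: " + msg["Reply-To"].addresses[0].domain)
    rp_dom = obs["return_path"].rpartition("@")[2].lower()
    if rp_dom and rp_dom != from_dom:
        found.append("Return-Path (envelope sender) domain differs from From: " + rp_dom)
    for url in obs["urls"]:
        host = url.split("/")[2].lower()
        if host != internal_domain and not host.endswith("." + internal_domain) and label in host:
            found.append("look-alike URL host: " + host)
    if any(w in obs["subject"].lower() for w in URGENCY):
        found.append("urgency cue in subject")
    return found


if __name__ == "__main__":
    print(extract_observables(SAMPLE_EML))
    print(phishing_indicators(SAMPLE_EML, "corp.example", ("Jane Doe",)))
```

The `Received` chain is read bottom-up because every relay prepends its own header, so the origin of the message is the last one. The Return-Path check catches a mismatch between the envelope sender (what SMTP actually used) and the header `From` that the user sees, which is the header-level form of the impersonation RA2204 asks you to look for.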
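Worked example for RA2113 and RA2114 in the template above, added here and not part of the atc-react playbook: listing the internal hosts that talked to a domain from DNS logs, the hosts that talked to an IP from Network Flow logs, and the pivot from the DNS answers into the flow logs. The two log formats and every line in them are constructed for the example; real DNS and NetFlow exports have their own layouts, so the whitespace `split()` parsing is a stand-in for whatever your collector produces.

```python
"""List hosts that communicated with an external domain (RA2113) or IP
(RA2114), from constructed DNS and flow logs. Added example."""

# Constructed DNS log format: "<timestamp> <client> <qname> <qtype> <answer>"
DNS_LOG = """\
2024-01-01T10:00:01Z 10.0.1.15 login-portal.net A 203.0.113.10
2024-01-01T10:00:02Z 10.0.1.15 corp.example.login-portal.net A 203.0.113.10
2024-01-01T10:00:05Z 10.0.1.22 www.example.org A 198.51.100.20
2024-01-01T10:01:00Z 10.0.1.40 cdn.login-portal.net A 203.0.113.11
2024-01-01T10:01:30Z 10.0.1.15 notlogin-portal.net A 203.0.113.99
"""

# Constructed flow log format: "<timestamp> <src> <dst> <dport> <proto> <bytes>"
# 10.0.1.51 reached 203.0.113.10 without a corporate DNS lookup (hard-coded IP
# or a public resolver), so it only shows up here.
FLOW_LOG = """\
2024-01-01T10:00:03Z 10.0.1.15 203.0.113.10 443 tcp 5120
2024-01-01T10:00:06Z 10.0.1.22 198.51.100.20 443 tcp 800
2024-01-01T10:02:00Z 10.0.1.51 203.0.113.10 443 tcp 300
"""


def matches_domain(qname: str, domain: str) -> bool:
    """True for the domain itself and any subdomain. Compare on label
    boundaries so that 'notlogin-portal.net' does not match 'login-portal.net'."""
    qname, domain = qname.lower().rstrip("."), domain.lower().rstrip(".")
    return qname == domain or qname.endswith("." + domain)


def hosts_for_domain(dns_log: str, domain: str):
    """RA2113 via DNS logs: (hosts that queried the domain, IPs it resolved to).
    The answer IPs are why RA1106 insists on logging answers, not only queries."""
    hosts, resolved = set(), set()
    for line in dns_log.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip blank or malformed lines instead of crashing mid-search
        _ts, client, qname, qtype, answer = fields
        if matches_domain(qname, domain):
            hosts.add(client)
            if qtype in ("A", "AAAA"):
                resolved.add(answer)
    return sorted(hosts), sorted(resolved)


def hosts_for_ip(flow_log: str, ip: str):
    """RA2114 via Network Flow logs: hosts with a flow towards the external IP."""
    hosts = set()
    for line in flow_log.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue
        _ts, src, dst, _dport, _proto, _nbytes = fields
        if dst == ip:
            hosts.add(src)
    return sorted(hosts)


def hosts_for_domain_with_pivot(dns_log: str, flow_log: str, domain: str):
    """Combine both sources: a host that resolved the name elsewhere leaves no
    DNS record, but still appears in the flow logs once we pivot on the answer
    IPs seen in other hosts' DNS records."""
    hosts, resolved = hosts_for_domain(dns_log, domain)
    found = set(hosts)
    for ip in resolved:
        found.update(hosts_for_ip(flow_log, ip))
    return sorted(found)


if __name__ == "__main__":
    print(hosts_for_domain(DNS_LOG, "login-portal.net"))
    print(hosts_for_ip(FLOW_LOG, "203.0.113.10"))
    print(hosts_for_domain_with_pivot(DNS_LOG, FLOW_LOG, "login-portal.net"))
```

Two of the playbook's warnings show up directly in this code: the pivot only works if DNS answers are logged (RA1106), and `hosts_for_ip` is only trustworthy on unsampled flow data (RA1101), since a 300-byte flow like the last line is exactly the kind that sampled NetFlow drops.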